Dark Reading
Products and Releases

Core Security Finds Vulnerability Trio In HP OpenView

Three vulnerabilities in HP OpenView Network Node Manager (NNM) can be exploited remotely via buffer overflow to compromise mission-critical servers within an organization using the software

BOSTON, MA, March 23, 2009 - Core Security Technologies, provider of CORE IMPACT solutions for comprehensive enterprise security testing, today issued an advisory disclosing multiple vulnerabilities that could affect millions of organizations using HP's OpenView systems and network management software.

An engineer from CoreLabs, the research arm of Core Security, determined that a trio of vulnerabilities in HP OpenView Network Node Manager (NNM) can be exploited remotely via buffer overflow to compromise mission-critical servers within an organization using the software. Upon making the discovery, CoreLabs immediately alerted HP's Software Security Response Team to the vulnerabilities and the two companies have since coordinated efforts to ensure that a patch could be created and made available to protect users of the program.

CoreLabs experts uncovered the trio of reported vulnerabilities in HP OpenView NNM, which offers remote network system event and performance monitoring, while investigating other previously reported flaws in the software, and an HP-issued security patch meant to address those issues.

HP OpenView NNM is one of the most widely-deployed remote network management technologies used throughout enterprise organizations today, allowing network managers to monitor their physical networks, virtual network services and the relationships between those assets. The software aims to help administrators identify, diagnose and predict potential problems before they affect network performance and availability.

"While remote network management technologies offer substantial value in terms of allowing organizations to maintain constant vigilance and control over their networks, the flipside is that attackers can potentially use available vulnerabilities in these systems to wreak havoc on internal infrastructure," said Ivan Arce, chief technology officer at Core Security. "It is vitally important for remote systems management solution providers to minimize these easily exploitable security flaws that can allow for remote system compromise."

Successful exploitation of the vulnerabilities requires that attackers send specially crafted HTTP requests to HP OpenView's web server component to execute arbitrary code on the target system.
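The release only says that the flaws are triggered by specially crafted HTTP requests to the NNM web server component and that they are buffer overflows, so one generic thing a defender can do without exploit details is watch that component's access log for requests whose path or query string is far longer than the management console ever legitimately sends, especially when the server answers with a 5xx. The following is an added illustration of that heuristic and is not code from Core Security, HP or the advisory; the CLF-style log lines, the `/nnm/cgi/...` paths, the hosts and the length thresholds are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Common Log Format with the request line captured; one pattern covers the samples below.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Thresholds are assumptions for this example; tune them to the URL lengths the real
# NNM web component sees. Management-console parameters are normally short.
MAX_PATH_LEN = 256
MAX_QUERY_LEN = 512


@dataclass
class Finding:
    client: str
    ts: str
    path: str
    query_len: int
    status: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF access-log line; return None for lines that do not match."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def assess_request(rec: dict) -> List[str]:
    """Return the reasons a parsed request looks like an oversized-input probe."""
    path, _, query = rec["target"].partition("?")
    reasons = []
    if len(path) > MAX_PATH_LEN:
        reasons.append(f"path length {len(path)} > {MAX_PATH_LEN}")
    if len(query) > MAX_QUERY_LEN:
        reasons.append(f"query length {len(query)} > {MAX_QUERY_LEN}")
    # A 5xx answer to an oversized request deserves a second look: a CGI process
    # that died on bad input often surfaces in the log exactly this way.
    if reasons and rec["status"].startswith("5"):
        reasons.append(f"server error {rec['status']} on oversized request")
    return reasons


def scan_log(text: str) -> List[Finding]:
    """Run the heuristic over a whole log and collect the flagged requests."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess_request(rec)
        if reasons:
            path, _, query = rec["target"].partition("?")
            findings.append(Finding(rec["client"], rec["ts"], path, len(query),
                                    int(rec["status"]), "; ".join(reasons)))
    return findings


# Constructed sample log; hosts and paths are hypothetical, not taken from the advisory.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [23/Mar/2009:10:01:12 +0000] "GET /nnm/cgi/status?node=router1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Mar/2009:10:01:13 +0000] "GET /nnm/cgi/status?node=' + "A" * 3000 + ' HTTP/1.1" 500 0',
    '10.0.0.5 - - [23/Mar/2009:10:02:40 +0000] "POST /nnm/cgi/report HTTP/1.1" 200 1024',
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.path} query_len={f.query_len} status={f.status}: {f.reason}")
```

Only the second constructed line is flagged: a 3005-character query string followed by a 500. Length alone is a coarse signal (a long but legitimate report URL would also trip it), so this belongs in a triage queue rather than a blocking rule, and the thresholds should be set from a baseline of the console's real traffic before it is relied on.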

HP has issued a security update that addresses the vulnerable OpenView NNM 7.51 and 7.53 versions of the solution.

Vulnerability Details

While investigating the feasibility of exploiting a set of vulnerabilities previously disclosed in HP OpenView NNM by researchers at Secunia (CVE-2008-4559, CVE-2008-4560, CVE-2008-4561, CVE-2008-4562, CVE-2009-0205) and addressed by HP in a subsequent security advisory (c01661610), CoreLabs researchers discovered two additional, unreported buffer overflow vulnerabilities in the product.

Researchers also found during their reviews that one of the previously reported buffer overflow issues in OpenView NNM could still be exploited, even when the vendor-provided security patch designed to fix the problem was applied.

CoreLabs specifically found that OpenView NNM versions 7.51 and 7.53, and version 7.53 with the aforementioned HP security patch (NNM_01195) applied, all harbored the three reported vulnerabilities. CoreLabs concluded that the two heap-based buffer overflows reported were newly discovered vulnerabilities because the issues were not fixed with the latest security patch and were not mentioned in any existing advisories published by HP.

In the case of the third OpenView NNM vulnerability, which was first reported by Secunia and was addressed by HP in its advisory, CoreLabs researchers found that they were still able to successfully exploit the issue and create proof of concept code for doing so, even with the latest patch in place.

When first researching all the reported OpenView NNM buffer overflow vulnerabilities, CoreLabs experts found it difficult to differentiate whether the flaws they were investigating were indeed the same issues that HP had recently addressed in its security advisories. After researching the issue further and examining the technical underpinnings of the HP advisory, it became evident to CoreLabs that two of the problems were new, while one of the vulnerabilities may have been previously identified.

The complexity of this process highlights a challenge that faces the entire vulnerability research and IT security industry in terms of working with technology vendors in reporting and responding to vulnerability data.

"A general lack of sufficient technical information made available by both software and vulnerability research vendors about the specifics of vulnerabilities in their security advisories makes it such that many bulletins and publications only generate additional confusion among researchers who are attempting to dig deeper into the reported problems in order to assess risk more precisely; in this case it was difficult to discern which vulnerabilities had already been reported and remained unfixed, versus which were new," said Arce. "This has become a consistent, systematic problem that makes it very hard for subsequent researchers to differentiate one bug from another using data from publicly available security advisories."

The newly reported vulnerabilities, along with the ability to exploit the previously disclosed flaw, were first uncovered by Oren Isacson, a CoreLabs researcher and software engineer with the CORE IMPACT Exploit Writers Team. For more information on this vulnerability, please view the CORE-2009-0122 Security Advisory at http://www.coresecurity.com/content/openview-buffer-overflows.

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. It conducts its research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Its results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

About Core Security Technologies

Core Security Technologies is the leader in comprehensive security testing software solutions that IT executives rely on to expose vulnerabilities, measure operational risk and assure security effectiveness. The company's CORE IMPACT product family offers a comprehensive approach to assessing the security of network systems, endpoint systems, email users and web applications against complex threats. All CORE IMPACT security testing solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at: http://www.coresecurity.com.


Tim Whitman or Justin Drake, Schwartz Communications, 781 684-0770
